Information
This policy setting ensures that unauthorized certificate installation files (*.p12 and *.pfx) are not present on the system. *.p12 and *.pfx files are a binary format used for storing a server certificate, any intermediate certificates, and the corresponding private key together in a single file that can be encrypted.
The STIG recommended state for this setting is: Remove all *.p12 and *.pfx files.
Note: This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files.
Use of software certificates and their accompanying installation files for end users to access resources is less secure than the use of hardware-based certificates.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Remove any certificate installation files *.p12 and *.pfx found on a system.
Note: The Certificate Store can be viewed by executing the Microsoft Management Console (MMC) and loading the Certificates snap-in.
Note #2: This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files. Some applications create files with extensions of .p12 that are not certificate installation files. Removal of non-certificate installation files from systems is not required. These must be documented with the ISSO.
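The following PowerShell is an added example and is not part of the STIG or Nessus text. It lists *.p12 and *.pfx files under the given roots and applies a header heuristic so that real PKCS #12 containers can be separated from files that merely carry the extension, as the note above requires; the function names and the default search root are the example's own assumptions.

```powershell
# Added example, not from the benchmark. Heuristic only: a DER-encoded PKCS #12 (PFX)
# structure begins SEQUENCE { INTEGER 3 (version), ... } i.e. 0x30 <len> 0x02 0x01 0x03.
# It does not parse the full container or verify that a private key is present.
function Test-Pkcs12Header {
    param([Parameter(Mandatory)][string]$Path)
    $buf = New-Object byte[] 16
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try { $n = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Dispose() }
    } catch { return $false }                      # unreadable / locked file: treat as not PKCS #12
    if ($n -lt 5 -or $buf[0] -ne 0x30) { return $false }
    $i = 1
    if ($buf[$i] -band 0x80) { $i += ($buf[$i] -band 0x7F) }   # long-form length: skip the length octets
    $i += 1
    if ($i + 2 -ge $n) { return $false }
    return ($buf[$i] -eq 0x02 -and $buf[$i + 1] -eq 0x01 -and $buf[$i + 2] -eq 0x03)
}

# Enumerate candidate files and report them; nothing is deleted here.
function Find-Pkcs12Files {
    param([string[]]$Root = @("$env:SystemDrive\"))   # assumption: scan the system drive by default
    Get-ChildItem -Path $Root -Recurse -File -Include *.p12, *.pfx -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                SizeBytes     = $_.Length
                LastWriteTime = $_.LastWriteTime
                IsPkcs12      = Test-Pkcs12Header -Path $_.FullName
            }
        }
}

# Review the report, document the non-certificate and application-required files with the ISSO,
# then remove the remaining installation files. -WhatIf shows what would be removed without acting.
$report = Find-Pkcs12Files
$report | Format-Table -AutoSize
$report | Where-Object IsPkcs12 | ForEach-Object { Remove-Item -LiteralPath $_.Path -WhatIf }
```

Files that the heuristic flags as not PKCS #12 are the ".p12 files that are not certificate installation files" the note refers to and only need to be documented, not removed.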
Impact:
*.p12 and *.pfx files will not be allowed on the system.